|
1 | 1 | # Claimant Model |
2 | 2 |
|
3 | | -This paper introduces an intuitive, standalone model for a common scenario where one party needs to perform an action which is reasonable only if a claim made by another party is true. The Claimant Model allows formally verifiable constructs to be bound to a messy reality. |
| 3 | +The Claimant Model provides a framework for analyzing trust in systems. It helps map formal cryptographic or verifiable constructs to real-world scenarios where one party needs to rely on information provided by another. |
4 | 4 |
|
5 | | -## Model |
| 5 | +## Core Roles |
6 | 6 |
|
7 | | -*This model describes roles, not actors. In a concrete deployment of this model, the same actor may play multiple roles, or multiple actors may need to work together to cover a role.* |
| 7 | +*Note: This model describes **roles**, not specific actors. In practice, a single actor might play multiple roles, or multiple actors might share a single role.* |
8 | 8 |
|
9 | | -There is a **Claimant** that makes a **Claim** that is relied upon by a **Believer** as a precondition to take an action they would not have taken if the claim was false. Claims are represented by signed **Statements**. The veracity of a Claim can be verified by a **Claim Verifier**, who will notify a **Claim Arbiter** of any false Claims. |
| 9 | +The model defines five key roles: |
10 | 10 |
|
11 | | -## Example: Certification Claims |
| 11 | +* **Claimant**: The party that makes a **Claim**. |
| 12 | +* **Claim**: A falsifiable logical statement made by the Claimant. |
| 13 | +* **Statement**: The concrete data (usually signed) that represents the Claim. |
| 14 | +* **Believer**: The party that relies on the Claim to take an action. They would not take this action if the Claim were false. |
| 15 | +* **Claim Verifier**: The party that checks whether the Claim is actually true. |
| 16 | +* **Claim Arbiter**: The party that handles disputes and takes action if a false Claim is discovered. |
12 | 17 |
|
13 | | -As a concrete example of the Claimant Model in action, we'll model one of the core claims made by [Certificate Authorities](https://en.wikipedia.org/wiki/Certificate_authority) (CAs). |
14 | | -A CA should create and sign a Certificate, *only at the request of the Domain Owner*. |
15 | | -A user's web browser receives this cert when attempting to establish a secure connection to a domain, and proceeds with the connection only if it was signed by a CA that the Browser Vendor has blessed. |
16 | | -In the event of a CA issuing bad certificates, the Browser Vendor can protect their users by removing the CA from the blessed set. |
17 | | -The only party which can verify that a certificate was issued under authorization is the Domain Owner. |
| 18 | +## Example: Certificate Transparency |
18 | 19 |
|
19 | | -<dl> |
20 | | -<dt>Claim<sup>CERT</sup></dt> |
21 | | -<dd><i>"I, ${CA}, am authorized to certify $pubKey for $domain"</i></dd> |
22 | | -<dt>Statement<sup>CERT</sup></dt> |
23 | | -<dd>X.509 Certificate</dd> |
24 | | -<dt>Claimant<sup>CERT</sup></dt> |
25 | | -<dd>Certificate Authority</dd> |
26 | | -<dt>Believer<sup>CERT</sup></dt> |
27 | | -<dd>Web Browser</dd> |
28 | | -<dt>Verifier<sup>CERT</sup></dt> |
29 | | -<dd>Domain Owner</dd> |
30 | | -<dt>Arbiter<sup>CERT</sup></dt> |
31 | | -<dd>Browser Vendor</dd> |
32 | | -</dl> |
| 20 | +To see the model in action, consider how it applies to web security and Certificate Authorities (CAs). |
33 | 21 |
|
34 | | -The Browser has sufficient trust in the CA to employ a strategy of [Trust But Verify](#trust-but-verify), however this model alone does not provide a mechanism to ensure that any Statement<sup>CERT</sup> relied on by Believer<sup>CERT</sup> can be discovered by Verifier<sup>CERT</sup>. This is why Certificate Transparency was created; to allow verifiers to discover all of the certificates that have been believed. |
35 | | -Using Logs to provide this discoverability is described in [Claimant Model: Logs](Logs.md). |
| 22 | +* **Background**: A CA signs a digital certificate for a domain. A web browser trusts this certificate to establish a secure connection. |
| 23 | +* **The Tension**: A CA should only issue a certificate if the domain owner requests it. If a CA issues a certificate maliciously or by mistake, the browser relies on a false claim. |
36 | 24 |
|
37 | | -<!-- TODO(mhutchinson): Discuss Closed Loop Systems below and link to this. --> |
| 25 | +Here is how we map this to the Claimant Model roles for this specific domain: |
38 | 26 |
|
39 | | -# Claim Requirements |
40 | | -* The Statement for any claim must be signed by the Claimant to ensure that it is immutable and non-repudiable. |
41 | | -* It must be possible to generate the Claim from the Statement without any additional context. |
42 | | -* Claims must be [falsifiable](https://en.wikipedia.org/wiki/Falsifiability). |
43 | | - |
44 | | -## Compound Claims |
45 | | -When the Claim is composed of multiple subclaims, the Verifier role must be covered by actors that can verify all components of the Claim. |
| 27 | +* **Cert Claim**: *"I, [CA Name], am authorized to certify [Public Key] for [Domain]."* |
| 28 | +* **Cert Statement**: The X.509 Certificate itself. |
| 29 | +* **Cert Claimant**: The Certificate Authority. |
| 30 | +* **Cert Believer**: The Web Browser (which connects based on the cert). |
| 31 | +* **Cert Verifier**: The Domain Owner (the only one who knows if they requested the cert). |
| 32 | +* **Cert Arbiter**: The Browser Vendor (who can remove the CA from the trusted set if they misbehave). |
46 | 33 |
|
47 | | -For example, imagine a Claimant<sup>PRIME</sup> that provides Believer<sup>PRIME</sup> with an integer covered by Claim<sup>PRIME</sup>: *"This is prime, and is uniquely issued to $believerID"*. This is a compound Claim: verification would need to confirm 1) the primality of the integer, and 2) that no other Believer had been issued the same value. |
| 34 | +> [!NOTE] |
| 35 | +> **Notation Note:** In complex systems, we often apply the Claimant Model at multiple layers (e.g., the certificate layer and the log layer). To distinguish roles at different layers, we use descriptive prefixes (like **Cert** Claimant or **Log** Claimant). An alternative way of formatting this in older versions of this documentation was using superscripts (e.g., Claimant<sup>CERT</sup>), but this was deprecated in favor of straight text for accessibility and readability. |
48 | 36 |
|
49 | | -# Believer Strategies |
50 | | -## Trust But Verify |
51 | | -If the Believer has sufficient trust to believe the Claimant for some action, Trust But Verify allows the Believer to take the Claim on face value, and perform the action before the Claim Verifier verifies this Claim. This system requires all Claims trusted by the Believer to be discovered by a Verifier, and this is what is meant by transparency. Such systems generally include a Claim Arbiter that closes the feedback loop by notifying Believers of bad Claimants, and of new Claimants that can be trusted. |
| 37 | +In this example, the Browser has sufficient trust in the CA to employ a "**Trust But Verify**" strategy. However, the model above doesn't guarantee that the **Cert Verifier** (Domain Owner) will ever *see* the certificate that the **Cert Believer** relied on. This gap is why Certificate Transparency was created—to make all issued certificates discoverable. |
52 | 38 |
|
53 | | -## Verify Before Use |
54 | | -If the Believer does not have sufficient trust in the Claimant to perform an action without verifying the claim, then the Believer must wait until the claim is verified. It is attractive to imagine that the veracity of a Claim starts UNKNOWN and then is verified to be either TRUE or FALSE, and this will hold for all time. Reality isn't as kind as this, and the veracity of claims is best considered a degree of confidence that can be very volatile as new data points are brought to light. Believers need to determine what degree of confidence they require before proceeding with an action. The role of the Arbiter is less critical in this strategy, but they can still be included to prevent bad Claimants from wasting other actor's time. |
| 39 | +(For details on how logs fill this gap, see [Claimant Model: Logs](Logs.md)). |
| 40 | + |
| 41 | +## Claim Requirements |
| 42 | + |
| 43 | +For the model to work effectively, Claims and Statements must meet certain criteria: |
| 44 | +* **Signed Statements**: The Statement for any claim must be signed by the Claimant to ensure it is immutable and non-repudiable. |
| 45 | +* **Self-Contained**: It must be possible to extract the Claim from the Statement without needing additional context. |
| 46 | +* **Falsifiable**: Claims must be able to be proven false. |
| 47 | + |
| 48 | +### Compound Claims |
| 49 | + |
| 50 | +Sometimes a Claim is composed of multiple sub-claims. In these cases, the Verifier role must be covered by actors that can verify all components of the Claim. |
| 51 | + |
| 52 | +*Example:* Imagine a **Prime Claimant** that provides a **Prime Believer** with an integer covered by a **Prime Claim**: *"This integer is prime, and it is uniquely issued to [Believer ID]."* This is a compound claim because verification requires checking two different things: |
| 53 | +1. Is the integer actually prime? |
| 54 | +2. Has this integer been issued to anyone else? |
| 55 | + |
| 56 | +## Believer Strategies |
| 57 | + |
| 58 | +How a Believer acts on a Claim depends on their level of trust. There are two primary strategies: |
| 59 | + |
| 60 | +### 1. Trust But Verify |
| 61 | +If the Believer has sufficient trust in the Claimant, they may take the Claim at face value and act on it *before* it is verified. This is how Certificate Transparency works. |
| 62 | +* **Requirement**: This strategy requires all Claims to be discoverable by Verifiers so that accountability is possible after the fact. |
| 63 | +* **Role of Arbiter**: Critical here to penalize bad Claimants and protect future Believers. |
| 64 | + |
| 65 | +### 2. Verify Before Use |
| 66 | +If the Believer does not have sufficient trust, they must wait until the Claim is verified before acting. |
| 67 | +* **Nuance**: Reality is messy, and "verified" often means reaching a certain level of confidence rather than absolute certainty. The Believer must decide what degree of confidence they require. There is also the nuance that a claim can only be verified with the information available at the time. e.g. "This binary contains no known vulnerabilities" may be true when first checked, but if the knowledge base of vulnerabilities changes, then a future check could fail. |
| 68 | +* **Role of Arbiter**: Less critical for blocking actions, but still useful for penalizing bad Claimants to save others' time. |
55 | 69 |
|
56 | 70 | ## Discussion |
57 | | -A Believer can be flexible about which strategy they employ. For example: Trust But Verify might be reasonable for a low-stakes action based on a Claim from a Claimant with a good reputation; allowing the action to be taken without blocking. As the potential loss involved in the action increases, the Believer will demand increased trust in the Claimant and/or a higher degree of verification. Some systems may also provide other incentives, such as some promise of compensation from the arbitration process (e.g. FSCS). |
| 71 | + |
| 72 | +A Believer can be flexible. They might use "Trust But Verify" for low-stakes actions or highly reputable Claimants, but switch to "Verify Before Use" as the risk increases. |
58 | 73 |
|
59 | 74 | <!-- TODO(mhutchinson): Discuss Closed Loop Systems. --> |
0 commit comments